PGP signature embedding

Sun, 26 Oct 2008

Metalinks can now automatically include PGP signatures. When a file with a name ending in ".asc" is found, its content is embedded into the metalink.

The command-line metalink client aria2 automatically downloads the PGP signature file, so that it can be verified locally. Note that aria2 doesn't verify the signature itself.
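Because the client does not check the signature itself, the embedded signature has to be pulled out of the metalink and handed to GnuPG. The following is an added example, not MirrorBrain or aria2 code; it assumes the Metalink 3.0 layout (`<signature type="pgp">` inside `<verification>`), and the sample document, file names and function names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET  # for hostile input, a hardened parser such as defusedxml is preferable

NS = {"ml": "http://www.metalinker.org/"}  # Metalink 3.0 namespace

# Constructed sample: Metalink 3.0 structure, hash and signature body are placeholders.
SAMPLE = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="example-1.0.iso">
      <verification>
        <hash type="sha1">0000000000000000000000000000000000000000</hash>
        <signature type="pgp" file="example-1.0.iso.asc">
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
        </signature>
      </verification>
    </file>
    <file name="unsigned.iso"><verification/></file>
  </files>
</metalink>
"""

def extract_pgp_signatures(metalink_xml):
    """Return {file name: armored signature} for each file with an embedded PGP signature."""
    root = ET.fromstring(metalink_xml)
    sigs = {}
    for f in root.findall("ml:files/ml:file", NS):
        sig = f.find("ml:verification/ml:signature[@type='pgp']", NS)
        if sig is None or not (sig.text or "").strip():
            continue  # nothing embedded for this file
        name = f.get("name", "")
        # The metalink is untrusted input: accept only a plain file name, no path parts.
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError("unsafe file name in metalink: %r" % name)
        lines = [line.strip() for line in sig.text.strip().splitlines()]
        sigs[name] = "\n".join(lines) + "\n"
    return sigs

def write_sig_and_verify_cmd(name, armored, directory="."):
    """Write NAME.asc beside the download and return the gpg command that checks it."""
    sig_path = os.path.join(directory, name + ".asc")
    with open(sig_path, "w") as fh:
        fh.write(armored)
    return ["gpg", "--verify", sig_path, os.path.join(directory, name)]
```

The returned command only proves anything if the signer's public key was obtained and trusted independently of the metalink and the mirror that served it.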

This new feature is implemented carefully to have no impact on scalability and performance. Apache doesn't need to scan for further files or open them and read their content. The signature file's content is saved together with the piece-wise hashes, which are created offline with the metalink-hasher script.

MirrorBrain is the first metalink generator that automates this. Hopefully, this paves the way for wider use of this very interesting feature of metalinks.

This feature is already used by openSUSE, who (since 11.1 Beta3) sign their ISO images individually. Here is an example: http://download.opensuse.org/distribution/11.1/iso/openSUSE-11.1-DVD-i586.iso.metalink

Thus, openSUSE is the second project, after curl, to include PGP signatures in metalinks.
